none
Assciators of users in Powershell RRS feed

  • Question

  • Hi,

    I am using the following to know the groups of the user using powershell.

    Associators of {Win32_UserAccount.Name='$username',Domain='$domainname'} WHERE AssocClass=Win32_GroupUser

    On some windows 2008 machines it passes and on some it fails.

    If someone could shed light as to why it timesout/fails, it would be great.

    Also is there any logging provided by Windows machines by default where why these powershell queries fail or behave ?

    Thanks

    Randeep

    Wednesday, October 15, 2014 3:16 PM

Answers

  • Net localgroup does work, but 1) it only works on the current computer and 2) it doesn't work if the group name is different (i.e., localized or renamed Administrators group name).

    See the following blog post for a WMI script that doesn't suffer from these limitations:

    Weekend Scripter: Who are the Administrators?

    You can also use ADSI to determine the Administrators group but it's not quite as straightforward. This article gives one example of how to do it:

    Windows IT Pro: Resetting the Local Administrator Password on Computers

    Basically, it looks like:


    $computerName = $Env:COMPUTERNAME
    $computer = [ADSI] "WinNT://$computerName,Computer"
    foreach ( $childObject in $computer.Children ) {
      # Skip objects that are not users.
      if ( $childObject.Class -ne "User" ) {
        continue
      }
      $type = "System.Security.Principal.SecurityIdentifier"
      $childObjectSID = new-object $type($childObject.objectSid[0],0)
      if ( $childObjectSID.Value.EndsWith("-500") ) {
        "Local Administrator account name: $($childObject.Name[0])"
        "Local Administrator account SID: $($childObjectSID.Value)"
        break
      }
    }
    


    -- Bill Stewart [Bill_Stewart]


    Thursday, December 11, 2014 4:44 PM
    Moderator

All replies

  • Hi,

    Generally you'll see error messages right in the console. You can also check the Windows PowerShell event log to see if there's any information there.

    Personally, I'd do something like this to get group memberships:

    Get-ADPrincipalGroupMembership USERNAME |
        Sort Name |
            Select -ExpandProperty Name


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Wednesday, October 15, 2014 3:23 PM
  • You don't explain what "it fails" means. Do you get an error message? If so, what is it? (We can't see your screen).

    I would also suggest that there are more effcient ways of retrieving group membership than by using WMI. Usually the AD cmdlets would be the preferred approach.


    get-aduser username -properties memberOf | select-object -expandproperty memberOf



    -- Bill Stewart [Bill_Stewart]

    Wednesday, October 15, 2014 3:24 PM
    Moderator
  • The failure is likely "not found" and the cause is that it will only work on a domain controller or is the $domain is set to the local machine and the $username is set to a local account.

    Can you tell us why you need to do this?


    ¯\_(ツ)_/¯

    Wednesday, October 15, 2014 3:38 PM
  • Note that WMI failure are no logged by PowerShell most are not logged by WMI unless you enable enhanced logging.


    ¯\_(ツ)_/¯

    Wednesday, October 15, 2014 3:39 PM
  • Error with a bogus domain:

    PS C:\scripts> $wql
    Associators of {Win32_UserAccount.Name='testuser',Domain='w8testx'} WHERE AssocClass=Win32_GroupUser
    PS C:\scripts> gwmi -Query $wql
    gwmi : Not found
    At line:1 char:1
    + gwmi -Query $wql
    + ~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
    
    PS C:\scripts>


    ¯\_(ツ)_/¯

    Wednesday, October 15, 2014 3:45 PM
  • Query that will work on any system:

    PS C:\scripts> $domainname=$env:COMPUTERNAME
    PS C:\scripts> $username='Guest'
    PS C:\scripts> $wql="Associators of {Win32_UserAccount.Name='$username',Domain='$domainname'} WHERE AssocClass=Win32_Gro
    upUser"
    PS C:\scripts> $wql
    Associators of {Win32_UserAccount.Name='Guest',Domain='W8TEST'} WHERE AssocClass=Win32_GroupUser
    PS C:\scripts> gwmi -Query $wql
    
    Caption                       Domain                        Name                          SID
    -------                       ------                        ----                          ---
    W8TEST\Guests                 W8TEST                        Guests                        S-1-5-32-546
    


    ¯\_(ツ)_/¯

    Wednesday, October 15, 2014 3:48 PM
  • Apologies everybody!

    Once the query was run, the window would freeze for a very long time. And i suspected something to be wrong with the query.

    When i ran these 2 standalone. I realised that since there is a large number of users and groups, it was taking for ever.

    gwmi -class Win32_UserAccount
    gwmi -class Win32_GroupUser

    Monday, November 3, 2014 2:56 PM
  • The answer is that unless you target your WMI query very specifically, it scales poorly when doing these kinds of queries even in a moderately sized AD environment. It is much more efficient to query AD directly, using the .NET classes or (even easier) the PowerShell AD cmdlets.

    -- Bill Stewart [Bill_Stewart]

    Monday, November 3, 2014 3:17 PM
    Moderator
  • Thanks Bill.

    Yes, the query formation matters.

    But in the env i ran the below query.

    gwmi -class Win32_UserAccount
    gwmi -class Win32_GroupUser

    Each of the query above took more than 20min each, so no matter how i form the query (Associators of {Win32_UserAccount.Name='$username',Domain='$domainname'} WHERE AssocClass=Win32_GroupUser), it still still going to take more than 20min.

    I dont have AD installed on these machines, isnt there a known alternative?

    Thanks

    Thursday, November 27, 2014 11:55 AM
  • Use ADSI with PowerShell to ist users and AD objects.

    $users=([adsisearcher]'(&{objectclass=person)(objectcategory=user))}.FindAll()

    http://blogs.technet.com/b/heyscriptingguy/archive/2009/03/17/how-can-i-search-active-directory-from-within-windows-powershell.aspx


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, November 27, 2014 12:27 PM
    Thursday, November 27, 2014 12:26 PM
  • Thanks jrv.

    I haven't tried the command, but looks like it lists all the users and again i need to go through the groups to identify admins

    My intent is to list the admins , domain or local.

    Thursday, November 27, 2014 4:47 PM
  • First start by learning how AD and local accounts work in WIndows.  You cannot get local admins from AD.  You can only get them by querying the individual systems.

    To get domain admins just query the Domian Admins group using ADSI.

    Staart here: http://technet.microsoft.com/en-us/scriptcenter/dd793613

    There are many examples and full scripts that do what you want.


    ¯\_(ツ)_/¯

    Thursday, November 27, 2014 5:05 PM
  • Use ADSI and not WMI to get the information. For local accounts, you will need to use the WinNT provider. For Active Directory, you can use the WinNT provider also, but usually the LDAP provder is preferable.


    -- Bill Stewart [Bill_Stewart]

    Thursday, November 27, 2014 6:19 PM
    Moderator
  • I found the command net localgroup administrators to be more useful and good substitute for the associators.

    It lists both the local and domain users that are part of administrators group.

    Thursday, December 11, 2014 4:05 AM
  • Net localgroup does work, but 1) it only works on the current computer and 2) it doesn't work if the group name is different (i.e., localized or renamed Administrators group name).

    See the following blog post for a WMI script that doesn't suffer from these limitations:

    Weekend Scripter: Who are the Administrators?

    You can also use ADSI to determine the Administrators group but it's not quite as straightforward. This article gives one example of how to do it:

    Windows IT Pro: Resetting the Local Administrator Password on Computers

    Basically, it looks like:


    $computerName = $Env:COMPUTERNAME
    $computer = [ADSI] "WinNT://$computerName,Computer"
    foreach ( $childObject in $computer.Children ) {
      # Skip objects that are not users.
      if ( $childObject.Class -ne "User" ) {
        continue
      }
      $type = "System.Security.Principal.SecurityIdentifier"
      $childObjectSID = new-object $type($childObject.objectSid[0],0)
      if ( $childObjectSID.Value.EndsWith("-500") ) {
        "Local Administrator account name: $($childObject.Name[0])"
        "Local Administrator account SID: $($childObjectSID.Value)"
        break
      }
    }
    


    -- Bill Stewart [Bill_Stewart]


    Thursday, December 11, 2014 4:44 PM
    Moderator